Wednesday, 5 February 2014

When you visit a website and download a file, it will often offer you the chance to download a Hash or Checksum for the file as well. This is a large number, produced by one of several hashing algorithms, that appears as a sequence of letters and digits and is, in practice, unique to the file that was hashed.

The idea is that you can then calculate the Hash yourself to confirm that what you've downloaded is the same as what the file owner uploaded. A site may do this because there is a risk that uploads end up tampered with: a mirror site that helpfully hosts the file alongside the main site could modify the download, and who knows what nefarious material would then end up on your system when you install or use the file.

To help avoid that risk, you can check the Hash generated for the file. An easy-to-use tool for this is Quick Hash, a GUI-based file hashing tool for Linux and Windows. It can be downloaded from Sourceforge.net at: http://sourceforge.net/projects/quickhash/

Steps for checking a Hash

1) Copy the Hash provided on the download site for the file you're interested in

2) Generate a Hash for the file you just downloaded

3) Compare them to ensure they're the same

Let's go through each step on Windows; the process with Quick Hash is just as easy on Linux.

After you've downloaded Quick Hash, open it and navigate to the 'Hash File' tab.

You now have a simple way to verify your downloads and to provide Hash values for your own files.

Points to note

There are a few things to be mindful of when working with file Hashes.

Fake Hashes for Hacked files

A download site could of course generate a Hash for a tampered file themselves, so a matching Hash only proves that your copy matches what that site published. If you're concerned, try downloading the file from different sources, or ideally from the original source. You can then generate Hashes for all copies of the download and ensure they are the same.

Different types of Hash

As you saw in the Quick Hash software, there are different types of Hash: MD5, SHA1, SHA256 and SHA512. These are different hashing algorithms, so check which Hash type your download site used so that the one you generate matches.

Any change changes the Hash

If you edit the file you created a Hash for, even by a single character, the Hash will be different. Just be aware of this in case, like me, you're a tweaker! If you change the file, update the Hash.